Urs P. Küderli Principal Security Architect Microsoft.

Anywhere Access: Establishing End to End Trust. Urs P. Küderli, Principal Security Architect, Microsoft

Posted: 21-Dec-2015, category: Documents

Transcript of Urs P. Küderli Principal Security Architect Microsoft.

Page 1: Urs P. Küderli Principal Security Architect Microsoft.

Anywhere Access: Establishing End to End Trust

Urs P. Küderli, Principal Security Architect, Microsoft

Page 2:

Flexibility…

Page 3:

Security versus Access

Demand for access:
• Access to information from wherever and whenever
• Access to information on any device
• User-friendly, transparent
• Low TCO
• Security

Escalating threats:
• Different access, authentication and authorization systems
• Different encryption technologies
• No interoperability
• Complex
• Expensive
• Security

Page 4:

Establish trust…

Page 5:

Trustworthy Computing

Page 6:

Your Processes

Page 7:

Managing Risk, building Trust

Diagram of current strategies (labels as recoverable from the slide), ordered from "No Strategy" up to "Vision":

• No Strategy / No Policy: exposed to phishing, viruses, malware, denial of service, data theft, identity theft
• Point Solutions: Firewalls, patching, Anti-phishing, Anti-spyware, Anti-virus, Identity Management, Information Protection
• Integrated Solutions: Defense in Depth, Integrated Identity, SDL and SD3, Threat Mitigation
• Vision, End-to-End Trust: "I+4A", Trusted Stack (Hardware, Software, Data, People), Integrated Protection (SDL & SD3, Defense in Depth, Threat Mitigation), set in its Social, Economic and Political context

Page 8:

Building a trusted Stack

Core Trust Components ("I+4A"):
• Identity Claims
• Authentication
• Authorization
• Access Control Mechanisms
• Audit

Trusted Stack:
• Trusted Hardware (Secure Foundation)
• Trusted Software
• Trusted Data
• Trusted People

Integrated Protection:
• SDL and SD3
• Defense in Depth
• Threat Mitigation

Page 9:

Perimeters and Holes

Page 10:

The hole Picture

Page 11:

The new Picture?

Page 12:

The business case…

Page 13:

The problem… How RAS worked at MS

RAS statistics:
• 55,000 unique users monthly
• 850,000 connections/month
• 45 seconds median time to successfully connect through quarantine
• 1,700 helpdesk calls per month
• Two engineers
• 154 servers

Page 14:

Anywhere Access benefits

• Increase Agility: More easily adapt to changing business needs and workforce trends, including tough new regulatory standards
• Boost Productivity: Control IT costs by leveraging existing infrastructure investments
• Improve Protection: Protect critical business information end-to-end and more effectively manage identities across the enterprise

Page 15:

Anywhere Access components (1)

Identity:
• Strong two-factor authentication
• Role-based access to resources
• Federation with partners and customers
• Flexible, pervasive PKI infrastructure

Protection:
• Policy-based security controls and automated remediation
• Layered endpoint security solutions
• Secure platform
• Updates, anti-malware, firewall verified and controlled by policy
• Authenticated transactions via PKI and IPsec/IPv6
• Endpoint encryption and data access controls

Page 16:

Anywhere Access components (2)

Networks:
• Policy-based network access controls with auto-remediation
• IPsec support for flexible and secure domain isolation
• IPv6 for expanded address space and auto-configuration
• Gateways for older or less-capable platforms
• Ability to authenticate all network-level transactions

Manageability:
• Define and distribute security and group policies
• Asset and configuration management
• Patch distribution for applications and OS
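A worked example of the policy-based access control and auto-remediation that the two component slides describe, added here and not taken from the deck or from Microsoft's NAP code: a client's health report is checked against a policy, a non-compliant client is sent to remediation and re-checked, and only a compliant client gets the short-lived health certificate that IPsec-enforced corpnet access requires. The policy values, the update identifiers, the client reports, the function names and the four-hour certificate lifetime are all assumptions made for this demo.

```python
"""Policy-based health check with automated remediation, modelled on the
NAP-style flow on the slides (a client's Statement of Health is evaluated
before it is let onto the corpnet).  Added example: policy, client reports
and helper names are assumptions, not Microsoft's implementation."""
from datetime import datetime, timedelta, timezone

# Assumed policy: what a client must prove before it leaves quarantine.
REQUIRED_UPDATES = {"UPD-001", "UPD-002"}   # constructed placeholder IDs
MAX_SIGNATURE_AGE_DAYS = 3
HEALTH_CERT_LIFETIME = timedelta(hours=4)    # assumed; short so health is re-checked often


# Each check returns (passed, remediation action to push if it failed).
def check_firewall(soh):
    return soh.get("firewall_enabled") is True, "enable the host firewall via Group Policy"


def check_antimalware(soh):
    return soh.get("antimalware_running") is True, "start the anti-malware service"


def check_signatures(soh):
    age = soh.get("signature_age_days", 10**6)   # missing value counts as stale
    return age <= MAX_SIGNATURE_AGE_DAYS, "download current anti-malware signatures"


def check_updates(soh):
    missing = sorted(REQUIRED_UPDATES - set(soh.get("installed_updates", ())))
    return not missing, "install missing updates: " + ", ".join(missing)


CHECKS = [check_firewall, check_antimalware, check_signatures, check_updates]

# What the remediation network applies for each failed check (simulated).
FIXES = {
    "firewall": lambda soh: soh.update(firewall_enabled=True),
    "antimalware": lambda soh: soh.update(antimalware_running=True),
    "signatures": lambda soh: soh.update(signature_age_days=0),
    "updates": lambda soh: soh.update(
        installed_updates=sorted(set(soh.get("installed_updates", ())) | REQUIRED_UPDATES)),
}


def evaluate(client):
    """Access decision for one client report: corpnet, remediation, or gateway."""
    soh = client.get("soh")
    if soh is None:
        # Down-level platform that cannot produce a Statement of Health:
        # slide 16 routes these through a gateway instead of the IPsec corpnet.
        return {"client": client["name"], "access": "gateway", "compliant": False,
                "failed": [], "remediation": []}
    failed, remediation = [], []
    for check in CHECKS:
        ok, fix = check(soh)
        if not ok:
            failed.append(check.__name__.removeprefix("check_"))
            remediation.append(fix)
    compliant = not failed
    return {"client": client["name"], "access": "corpnet" if compliant else "remediation",
            "compliant": compliant, "failed": failed, "remediation": remediation}


def issue_health_certificate(decision, now=None):
    """HRA role: only a compliant client gets the short-lived certificate that
    the IPsec policy on corpnet hosts demands; None means no access."""
    if not decision["compliant"]:
        return None
    now = now or datetime.now(timezone.utc)
    return {"subject": decision["client"], "not_before": now,
            "not_after": now + HEALTH_CERT_LIFETIME}


def remediate(client):
    """Auto-remediation: apply the fix for every failed check, then re-evaluate."""
    decision = evaluate(client)
    if decision["access"] != "remediation":
        return decision
    soh = dict(client["soh"])
    for name in decision["failed"]:
        FIXES[name](soh)
    return evaluate({"name": client["name"], "soh": soh})


# Constructed client reports, not data from the pilot.
CLIENTS = [
    {"name": "laptop-01", "soh": {"firewall_enabled": True, "antimalware_running": True,
                                  "signature_age_days": 1,
                                  "installed_updates": ["UPD-001", "UPD-002"]}},
    {"name": "laptop-02", "soh": {"firewall_enabled": False, "antimalware_running": True,
                                  "signature_age_days": 9, "installed_updates": ["UPD-001"]}},
    {"name": "kiosk-legacy", "soh": None},
]


def run():
    """Evaluate every constructed client; returns decisions keyed by client name."""
    return {c["name"]: evaluate(c) for c in CLIENTS}


if __name__ == "__main__":
    for name, decision in run().items():
        print(name, decision["access"], decision["remediation"])
    print(remediate(CLIENTS[1])["access"])
```

The design point is that the decision is made per connection from the client's current state, not from a one-time enrolment: a certificate with a short lifetime forces the health check to repeat, which is what the "proactive health" benefit on slide 18 relies on.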

Page 17:

Direct Connect Pilot

Diagram (labels as recoverable from the slide): three zones, Customer Site, IPv4 Internet and Corporate Network (IPv6 network, dual stack).

Corporate network side: Health Registration (NAP HRA), DNS & RODC, IPv6 Apps, IPv4 Apps (reached through NAT-PT), VPN Server, SSL VPN, Teredo Relay.

Clients at the customer site: Compliant IPv6 Client, Compliant Vista+ Client, Non-Compliant Client, Down-level client; a device at the customer site is marked "Blocks IPsec".

Traffic paths labelled on the diagram:
• Compliant IPv6 client: IPv6 Packet, IPsec encrypted, carried inside an IPv4 outer packet sent in the clear (Dynamic IPsec Tunnel); the Teredo Relay removes the outer packet before the traffic reaches the corpnet.
• Compliant Vista+ client: IPv4 Packet, clear or IPsec Auth/Encrypt, to the VPN Server.
• Non-compliant and down-level clients: VPN or SSL VPN; IPv4 Packet clear text or IPsec Auth.
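The encapsulation on this slide, as an added example that is not part of the original deck: a Teredo-carried IPv6 packet with an IPsec ESP payload is built and then taken apart the way the relay does, so that the difference between the clear-text outer packet and the protected inner packet is visible byte by byte. The packet bytes, the addresses and the relay's UDP port are constructed for the demo (the Teredo client address follows the RFC 4380 layout, the corpnet host uses a documentation prefix), and the function names are this example's own.

```python
"""Teredo encapsulation as drawn on the pilot slide: IPv4/UDP outer packet in
the clear, inner IPv6 packet carrying IPsec ESP.  Added example; all bytes
and addresses below are constructed, not captured from the pilot."""
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380 prefix
TEREDO_UDP_PORT = 3544                                # server port; assumed for the relay here
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def decode_teredo(addr):
    """Recover the public endpoint embedded in a Teredo address (RFC 4380 layout):
    server IPv4, flags, obfuscated NAT port and obfuscated client IPv4."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip6.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # XOR with all ones
    return {"server": str(server), "cone_nat": bool(flags & 0x8000),
            "client_ip": str(client), "client_port": obf_port ^ 0xFFFF}


def build_inner_ipv6_esp(src6, dst6, spi, seq, ciphertext):
    """IPv6 header (next header = ESP) followed by an ESP header and opaque payload."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    hdr = struct.pack("!IHBB", 0x60000000, len(esp), IPPROTO_ESP, 64)
    return (hdr + ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed + esp)


def build_outer_ipv4_udp(src4, dst4, sport, dport, inner):
    """The clear-text outer packet: IPv4 header, UDP header, inner IPv6 packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner   # checksum 0 is legal
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    return hdr + udp


def relay_decapsulate(frame):
    """What the Teredo relay does: read the outer IPv4/UDP header and strip it."""
    if frame[0] >> 4 != 4 or frame[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    ihl = (frame[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    outer = {"src": str(ipaddress.IPv4Address(frame[12:16])),
             "dst": str(ipaddress.IPv4Address(frame[16:20])),
             "sport": sport, "dport": dport}
    return outer, frame[ihl + 8:ihl + ulen]


def inspect_inner(packet):
    """Parse the inner IPv6 header; report ESP metadata but never the payload,
    which is ciphertext to everyone except the IPsec peers."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len, next_hdr, _hop = struct.unpack("!HBB", packet[4:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    payload = packet[40:40 + payload_len]
    info = {"src": str(src), "dst": str(dst), "next_header": next_hdr, "esp": False}
    if next_hdr == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(esp=True, spi=spi, seq=seq, encrypted_bytes=len(payload) - 8)
    if src in TEREDO_PREFIX:
        info["src_teredo"] = decode_teredo(str(src))
    return info


def relay_checks_out(outer, inner_info):
    """Relay consistency rule: the endpoint embedded in the inner Teredo source
    must equal the outer IPv4 source and UDP port, otherwise drop the packet."""
    t = inner_info.get("src_teredo")
    return bool(t) and t["client_ip"] == outer["src"] and t["client_port"] == outer["sport"]


CLIENT6 = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"   # constructed Teredo address
CORPNET6 = "2001:db8:c0ff:ee::10"                      # assumed corpnet host, documentation prefix


def demo():
    """Build one encapsulated packet, relay it, inspect what is visible."""
    inner = build_inner_ipv6_esp(CLIENT6, CORPNET6, spi=0x1234ABCD, seq=7,
                                 ciphertext=b"\x00" * 48)   # stand-in for ESP ciphertext
    frame = build_outer_ipv4_udp("192.0.2.45", "198.51.100.9", 40000, TEREDO_UDP_PORT, inner)
    outer, stripped = relay_decapsulate(frame)
    info = inspect_inner(stripped)
    return outer, info, relay_checks_out(outer, info)


if __name__ == "__main__":
    print(demo())
```

The thing to notice is that everything in the outer header, including the client's public IPv4 address and NAT-mapped port, travels in the clear and is also recoverable from the inner Teredo source address; only the ESP payload is protected. The relay_checks_out comparison is the check a relay makes before forwarding, which is what prevents a host from injecting IPv6 traffic under a forged Teredo source.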

Page 18:

AA brings IT Value

Cost Benefits:
• Reduced MSIT hardware compared to current VPN solution
• Scalability of solution
• Reduced traffic/usage of the proxies

User Benefits:
• Extends corpnet seamlessly to remote user
• No user initiation to connect
• Single sign-on
• Always on
• Easy to use; consistent experience
• Use peer-to-peer technologies

Security Benefits:
• Promotes end-to-end host-based security
• System is always reachable (for scans, Group Policy, patching)
• Proactive health (always checking for NAP, GPO, can be scanned while remote, etc.)

Page 19:

An Integrated Platform

Page 20:

Your MSDN resources: check out these websites, blogs & more!

Presentations:
• TechDays: www.techdays.ch
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
• MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events:
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter):
• Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog:
• RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities:
• Mobile Devices: http://www.pocketpc.ch/
• Microsoft Solutions User Group Switzerland: www.msugs.ch
• .NET Managed User Group of Switzerland: www.dotmugs.ch
• FoxPro User Group Switzerland: www.fugs.ch

Page 21:

Your TechNet resources: check out these websites, blogs & more!

Presentations:
• TechDays: www.techdays.ch

TechNet Events:
• TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter):
• Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog:
• RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities:
• SwissITPro User Group: www.swissitpro.ch
• NT Anwendergruppe Schweiz: www.nt-ag.ch
• PASS (Professional Association for SQL Server): www.sqlpass.ch

Page 22:

Save the date for tech·days next year!

7-8 April 2010, Congress Center Basel

Page 23:

Classic Sponsoring Partners

Media Partner

Premium Sponsoring Partners
